Quantum Arithmetic on Galois Fields 



Stephane Beauregard, Gilles Brassard, Jose Manuel Fernandez 

11 April 2002 



Abstract 

In this paper we discuss the problem of performing elementary finite field arithmetic on a quantum computer. Of particular interest is the controlled-multiplication operation, which is the only group-specific operation in Shor's algorithms for factoring and solving the Discrete Log Problem. We describe how to build quantum circuits for performing this operation on the generic Galois fields GF(p^k), as well as the boundary cases GF(p) and GF(2^k). We give the detailed size, width and depth complexity of such circuits, which ultimately will allow us to obtain detailed upper bounds on the amount of quantum resources needed to solve instances of the DLP on such fields.



1 Introduction 

The most significant event in the short history of Quantum Computing is the discovery of an efficient algorithm for factoring integers by Peter Shor in 1994. The algorithm was initially described at a high level, and it assumed the existence of an efficient quantum black box capable of computing integer modular exponentiation, i.e. computing a^x mod N, given an integer x, and previously known ("hardwired") integers a and N, the latter being the integer that we want to factor. Shor did not bother to describe in detail such a black box, as it is trivial to show that such a box exists. There are several classical circuits that compute this efficiently, and any of those could in principle be transformed into a quantum circuit, also of polynomial size.

While it is clear that the overhead of such a conversion is always represented by a bounded degree polynomial, the question arises of exactly how small it can be. Given the fact that building large scale quantum computers, even of a few hundred qubits, represents a formidable technological challenge, it becomes paramount to know exactly how many qubits, and also exactly how many operations, are required to construct such black boxes. The importance of this knowledge cannot be overemphasized, given the potential cryptanalytic applications that an efficient factoring algorithm can have.

The exact complexity of performing modular exponentiations will depend on the complexity of performing simpler arithmetic operations such as addition and multiplication. In fact, in the context of Shor's algorithm, the black box for exponentiation can be replaced by a limited number of black boxes performing controlled modular multiplications, where one of the two factors is a previously known (i.e. "hardwired") value a. Thus, once we have established the exact complexity of implementing these controlled multiplications, it becomes in turn possible to determine the exact complexity of the overall quantum factoring algorithm.

In the case of factoring, we are dealing with integer arithmetic, and the topic of quantum integer and modular arithmetic has already been well studied and satisfactorily resolved.

Nonetheless, in order to fully consider the cryptanalytic potential of quantum computers, one must also consider the Discrete Log algorithm introduced by Shor at the same time as his factoring algorithm. This algorithm was also described at a high level in terms of a quantum black box computing double exponentiations, i.e. obtaining values a^x b^y, given integers x and y and for fixed multiplicative group elements a and b. As is the case for simple exponentiation, one can show that such "efficient" quantum circuits exist for implementing this other kind of black box, but the same questions arise about exactly how many resources are needed to build and evaluate them. Furthermore, it can also be shown that these double exponentiations can be substituted with a known, exact number of controlled multiplications.

Nonetheless, the situation is made more complex by the fact that the Discrete Logarithm Problem (DLP) can be defined on any commutative group. Thus, in addition to considering integer modular arithmetic, one must also consider quantum arithmetic on suitable representations of these other groups. Of particular interest is the DLP defined on the multiplicative groups of the Galois Fields, again given its obvious cryptanalytic applications. Also in that category are groups based on elliptic and hyper-elliptic curves. While arithmetic of points on an elliptic curve is quite different from arithmetic on elements of Galois Fields, it is common to define these curves on a vector space over the Galois Fields. In either case, the importance of knowing the exact complexity of performing Galois Field arithmetic, and in particular that of performing controlled multiplications, is made obvious.

In this paper, we study precisely this question. In the next sections, we will study independently the three different cases of Galois Fields, i.e. GF(p), GF(2^k), and GF(p^k), where k is an integer, and p a prime bigger than 2.

2 Quantum Arithmetic in GF(p) 

We first consider the arithmetic in the Galois field GF(p), where p is an n-bit 
prime integer. The Galois field GF(p) is isomorphic to the integers modulo p. 
We will devise a circuit to implement the controlled multiplication modulo 
p on a quantum computer. It is important to realize at this point that the 
value p is a classical value and can be hardwired in the circuit. Moreover, 
the value a by which we will multiply can also be hardwired in the circuit 
since it will be given as a classical input. 

The most straightforward way to get a multiplication circuit is by successive addition of classical values modulo p. This method also seems to be the most qubit-efficient one. To get to this successive addition circuit, we begin with the simple addition of a classical value to a quantum register.

2.1 The adder gate for integers 

The adder gate for integers is simply a circuit that adds a classical value to a quantum register. We consider two ways of doing this. The first is an adaptation of the carry-sum adder of Vedral, Barenco and Ekert [1] (Figure 1).

This circuit requires 2n qubits to add a value without overflows because the first qubit of figure 1 is not needed. It uses O(n) elementary gates in linear depth.

The second method uses an adder from Draper [2] that we will call the φ-adder (Figure 2). The φ-adder takes the quantum Fourier transform of a qubit register |z⟩ to the quantum Fourier transform of the sum z + a, where a is a classical value hardwired in the φ-adder. The advantage of this method is that it does not need extra qubits for carries. Furthermore, the fact that we only need to add a classical value helps to simplify the φ-adder. However, a quantum Fourier transform has to be applied to the quantum register before and after the φ-adder, so we end up using more elementary gates than with the carry-sum adder.
Figure 1: The carry-sum adder of Vedral, Barenco and Ekert modified to add a classical value (a) to the quantum register |z⟩.




This circuit requires only n + 1 qubits to add a value without overflows, as in figure 2. What we call the φ-adder does not include the QFTs since they are often not needed. The φ-adder requires O(n) elementary gates in constant depth if we exclude the QFTs. If the φ-adder has to be controlled by another qubit, its depth becomes linear.

We need O(n^2) elementary gates in depth O(n) to implement the exact QFT on an (n + 1)-qubit register.

2.2 The adder gate for GF(p) 

Once we have a circuit to add a classical value to a quantum register, we can use it to build a circuit that implements the addition of a classical value modulo p. This adder for GF(p) (Figure 3) will need to be controlled by two qubits in order to be used in a controlled multiplication circuit. After the addition of a and the subtraction of p, we access the most significant qubit of the register. If that qubit is |1⟩, then an overflow occurred and we have to add back p to the register. The rest of the circuit is needed to restore the ancillary qubits back to the value |0⟩. Only the ADD(a) gates need to be controlled by the control qubits because the rest of the circuit does not change the input if it is less than p. Since this circuit implements addition in GF(p), we require the quantum input to be a superposition of elements of GF(p), or integers less than p.

Figure 2: The φ-adder. The fact that the value a is classical helps to simplify the adder.

The adder for GF(p) requires 2n + 1 qubits when not controlled and 2n + 3 when controlled by two qubits. The number of elementary gates needed is O(n) in linear depth.

We can also build an adder gate for GF(p) from φ-adders using essentially the same method. This will be called the φ-adder for GF(p) (Figure 4). It will however be necessary to use QFTs to access the most significant qubit when we need to check for the overflow and to restore that qubit. For the same reason as before, those QFTs do not have to be controlled by the control qubits, so it is possible to implement them in linear depth without ancillary qubits.

The φ-adder for GF(p) requires n + 2 qubits when not controlled and n + 4 when controlled by two qubits. The number of elementary gates needed is O(n^2) in depth O(n).

Figure 3: The adder for GF(p) controlled by qubits c_1 and c_2. The value a and the input |z⟩ are both smaller than p.



2.3 The controlled multiplication gate for GF(p) 

Once we have a gate that adds a classical value (a) modulo p to a quantum register |z⟩, it is quite simple to implement the controlled multiplication gate. We first build a circuit that takes as input a control qubit |c⟩, a quantum register |x⟩ and another quantum register |z⟩ which will be used as an accumulator. We know beforehand that the |z⟩ register contains a superposition of values, all of which are smaller than p. Applying successive modular adders of 2^0 a, 2^1 a, ..., 2^n a, the circuit leaves |c⟩ and |x⟩ unchanged. The |z⟩ register is unchanged if c = 0 and goes to |(z + ax) mod p⟩ if c = 1. This will be called the add-mult gate (Fig. 5).

The problem with the add-mult circuit is that it does not take the |x⟩ register directly to the product |(ax) mod p⟩ as needed for the DLP algorithm to work. We can however use the add-mult gate to build a new circuit that does exactly what we need. We begin with a control qubit |c⟩ and two registers: |x⟩ and |0^n⟩. After an add-mult gate, |c⟩ and |x⟩ are unchanged while |0^n⟩ goes to |(ax) mod p⟩ assuming c = 1. We then apply a controlled swap gate (Figure 6) to interchange |x⟩ and |(ax) mod p⟩. Finally, we apply an inverse add-mult gate with the classically computed value a^-1. The effect of this gate, always assuming c = 1, is to leave the top register in state |(ax) mod p⟩ while the bottom register goes to |(x − a^-1 ax) mod p⟩ = |0^n⟩. If c = 0, all the registers are unchanged. We thus finally obtain the controlled multiplication gate (Figure 7).

Figure 4: The φ-adder for GF(p) controlled by qubits c_1 and c_2. The value a and the input |z⟩ are both smaller than p.

The controlled swap of two n-qubit registers controlled by an additional qubit thus requires 2n + 1 qubits and O(n) elementary gates in a depth of O(n). The swapped registers have only n qubits because the extra qubit that was included to prevent overflows during the modular adder is always restored to |0⟩, so it does not need to be swapped.

If the carry-sum adder is used to build the controlled multiplication gate, we need a total of 3n + 2 qubits and O(n^2) elementary gates in a depth of O(n^2). If the φ-adder is used however, we need only 2n + 3 qubits but O(n^3) elementary gates, again in a depth of O(n^2).
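As an added example (not the paper's own code), the following Python simulates the GF(p) circuits of this section on classical basis states: the adder for GF(p) of Figure 3 with its overflow qubit and ancilla clean-up, the add-mult built from successive adders of 2^i a, and the controlled multiplication obtained with the controlled swap and an inverse add-mult of a^-1. Function names, the `inverse` flag and the sample prime p = 13 are the example's own assumptions.

```python
# Classical simulation of the GF(p) circuits of Section 2 (added example,
# not the paper's code).  A register holding a basis state is modelled as
# a Python integer; a superposition behaves the same way branch by branch.

def modular_add(z: int, a: int, p: int, n: int) -> int:
    """Adder for GF(p) (Figure 3): z -> (z + a) mod p, with p an n-bit prime.

    The register has n + 1 qubits; the top qubit catches the overflow of
    the subtraction of p.  Both a and z must already be smaller than p.
    """
    assert 0 <= z < p and 0 <= a < p and 2 ** (n - 1) <= p < 2 ** n
    mask = (1 << (n + 1)) - 1          # n + 1 qubits, so arithmetic wraps here
    reg = (z + a) & mask               # ADD(a)
    reg = (reg - p) & mask             # ADD(p)^-1: wraps around when z + a < p
    ancilla = (reg >> n) & 1           # CNOT from the most significant qubit
    if ancilla:                        # overflow: controlled ADD(p) adds p back
        reg = (reg + p) & mask
    # reg now holds (z + a) mod p; the rest restores the ancilla to |0>
    reg = (reg - a) & mask             # ADD(a)^-1
    if not (reg >> n) & 1:             # NOT, CNOT, NOT on the top qubit
        ancilla ^= 1
    reg = (reg + a) & mask             # ADD(a)
    assert ancilla == 0 and reg >> n == 0, "ancilla and overflow qubit restored"
    return reg


def add_mult(c: int, x: int, z: int, a: int, p: int, n: int,
             inverse: bool = False) -> int:
    """Controlled add-mult (Figure 5): z -> (z + a*x) mod p when c == 1.

    The adder of 2^i a is controlled by c and by qubit x_i.  With
    inverse=True every adder runs backwards, i.e. it subtracts its value.
    """
    for i in range(n):
        if c and (x >> i) & 1:
            term = (a << i) % p                # classically precomputed 2^i a mod p
            if inverse:
                term = (-term) % p             # ADD(v)^-1 is ADD(p - v) in GF(p)
            z = modular_add(z, term, p, n)
    return z


def controlled_mult(c: int, x: int, a: int, p: int, n: int) -> tuple:
    """Controlled multiplication (Figure 7): (x, 0) -> (a*x mod p, 0) when c == 1.

    Returns the two n-qubit registers (top, bottom).
    """
    z = add_mult(c, x, 0, a, p, n)             # |0^n> -> |(ax) mod p>
    if c:                                       # controlled swap of the two registers
        x, z = z, x
    a_inv = pow(a, -1, p)                       # classically computed a^-1
    z = add_mult(c, x, z, a_inv, p, n, inverse=True)   # x - a^-1 (ax) = 0 mod p
    return x, z


if __name__ == "__main__":
    p, n, a = 13, 4, 5                          # constructed sample: a 4-bit prime
    for x in range(p):
        assert controlled_mult(1, x, a, p, n) == (a * x % p, 0)
    print(controlled_mult(1, 7, a, p, n))       # (9, 0)
```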

3 Quantum arithmetic in GF(2^n)

We will now consider the DLP in the Galois field GF(2^n), so that n will be the size of the inputs. The elements of GF(2^n) can be represented as polynomials of degree n − 1 over GF(2), or lists of n bits representing the coefficients of the polynomials. The product of two elements of GF(2^n) is the product of their polynomials modulo a fixed irreducible polynomial Q of degree n over GF(2). The structure of GF(2^n) with multiplication modulo Q is independent of the choice of Q. Addition in GF(2) is simply the XOR operation since there are no carries in polynomial addition.
Figure 5: The add-mult gate. We can replace the modular adders by modular φ-adders, in which case we have to apply the QFT and its inverse on the |z⟩ register respectively before and after the add-mult gate.
A simple way to obtain the product of two elements of GF(2^n) is the following (see Figure 8):

1. Given a = (a_{n-1}, ..., a_1, a_0) and x = (x_{n-1}, ..., x_1, x_0) where the a_i and x_i are bits, precompute the polynomials A(0) = a, A(1) = (a_{n-1}, ..., a_0, 0) mod Q, A(2) = (a_{n-1}, ..., a_0, 0, 0) mod Q, ..., A(n) = (a_{n-1}, ..., a_0, 0, ..., 0) mod Q. All those polynomials are of degree n − 1 at most.

2. Take the product modulo 2 of x_i with the coefficients of A(i) for 0 ≤ i < n.

3. Add modulo 2 the coefficients of each polynomial x_i A(i) to obtain the resulting polynomial r.
Figure 7: The controlled multiplication gate. The add-mult gate with a bar on the left is an inverse add-mult.

Figure 8: The product of two polynomials in GF(2^n).



Since addition modulo 2 is simply the XOR gate, it is very easy to implement on a quantum computer. Better yet, the polynomials a and Q are classical values given beforehand, so we can easily precompute all the A(i) classically.

3.1 The adder gate for GF(2^n)

The adder gate for GF(2^n) is very simple. We have a quantum register |x⟩ and want to add a classical value a to it, so we only have to apply a NOT gate on every qubit of |x⟩ corresponding to a non-zero bit of a (Figure 9). No gate is applied on qubits corresponding to bits of a with value 0.




Figure 9: The adder for GF(2^n). The value a is classical, while |x⟩ is a quantum register.

This adder can be used to add any given polynomial of degree n − 1 over GF(2), an element of GF(2^n), to a quantum register |x⟩. In general, many elements of GF(2^n) will be in quantum superposition in this register.

The adder for GF(2^n) is implementable directly on the n qubits of the quantum register. Since there are no carries, there is no need to worry about overflows. The number of elementary gates needed is O(n) and the depth is constant if the adder for GF(2^n) is not controlled, but changes to linear depth if it is controlled.

3.2 The controlled multiplication gate for GF(2^n)

Now that we have an adder for GF(2^n), we can carry on and build a multiplier gate for GF(2^n). We will use essentially the same idea as with GF(p). We build the add-mult gate by successively adding the precomputed values A(0), A(1), ..., A(n) to a register |z⟩. The adder gate which adds the polynomial A(i) is controlled by the qubit x_i (Figure 10).

We are now set to use the trick with the controlled-swap to obtain the controlled multiplication. The idea is the same as with GF(p). We obtain a gate that takes a control qubit |c⟩ and two registers |x⟩ and |0^n⟩ as inputs and outputs |c⟩, |x⟩ and |0^n⟩ or |a · x⟩ depending on c (Figure 11). Again, this is the only non-trivial gate needed to solve the DLP in GF(2^n).

This controlled multiplication for GF(2^n) requires 2n + 1 qubits and O(n^2) gates in a depth of O(n^2).

Figure 10: The add-mult gate for GF(2^n).

Figure 11: The controlled multiplication gate for GF(2^n) and GF(p^k).
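As an added example (not the paper's own code), this Python carries out the GF(2^n) add-mult of Figure 10 on classical basis states: elements are n-bit integers whose bits are polynomial coefficients, the A(i) of step 1 are precomputed classically as (a followed by i zero bits) mod Q, and each set bit of x_i XORs A(i) into z. It also returns the number of Toffoli gates the controlled add-mult needs, one per set bit of each A(i). Function names are the example's own, and the sample field is the AES field with Q = x^8 + x^4 + x^3 + x + 1.

```python
# Classical simulation of the GF(2^n) add-mult of Section 3 (added example,
# not the paper's code).  A field element is an n-bit int; bit i is the
# coefficient of x^i.  Q is the irreducible modulus, an (n + 1)-bit int.

def poly_mod(v: int, q: int, n: int) -> int:
    """Reduce the polynomial v modulo Q (degree n) over GF(2)."""
    while v.bit_length() > n:
        v ^= q << (v.bit_length() - 1 - n)     # cancel the leading term
    return v


def precompute(a: int, q: int, n: int) -> list:
    """Step 1: A(i) = (a_{n-1} ... a_0 followed by i zeros) mod Q, for 0 <= i < n."""
    return [poly_mod(a << i, q, n) for i in range(n)]


def add_mult(c: int, x: int, z: int, a: int, q: int, n: int) -> tuple:
    """Controlled add-mult (Figure 10): z -> z XOR (a * x mod Q) when c == 1.

    Returns (new z, Toffoli count).  The adder of A(i) is a NOT on every
    qubit of z where A(i) has a 1; controlled by c and x_i each NOT becomes
    a Toffoli gate, so the count is the number of set bits over all A(i).
    """
    toffolis = 0
    for i, a_i in enumerate(precompute(a, q, n)):
        toffolis += bin(a_i).count("1")
        if c and (x >> i) & 1:                 # adder for GF(2^n) controlled by x_i
            z ^= a_i
    return z, toffolis


def multiply(a: int, x: int, q: int, n: int) -> int:
    """a * x in GF(2^n) via the add-mult with c = 1 and an empty accumulator."""
    return add_mult(1, x, 0, a, q, n)[0]


def multiply_ref(a: int, x: int, q: int, n: int) -> int:
    """Reference: shift-and-add schoolbook product, reduced once at the end."""
    prod = 0
    for i in range(n):
        if (x >> i) & 1:
            prod ^= a << i
    return poly_mod(prod, q, n)


if __name__ == "__main__":
    AES_Q, AES_N = 0x11B, 8                     # constructed sample: the AES field
    z, gates = add_mult(1, 0xCA, 0, 0x53, AES_Q, AES_N)
    print(hex(z), gates)                        # 0x1: 0x53 and 0xCA are inverses
```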



4 Quantum Arithmetic in GF(p^k)

We now concentrate on quantum arithmetic in the Galois field GF(p^k). For future comparison purposes, we define n = k⌈lg(p)⌉, which is the size of an element in GF(p^k). The elements of GF(p^k) can be represented by polynomials of degree at most k − 1 over GF(p). They can thus be represented by lists of k integers, each of these of size ⌈lg(p)⌉ bits, for a total of n bits. The product of two elements of GF(p^k) is the product of their polynomials modulo a fixed irreducible polynomial Q of degree k over GF(p). As was the case with GF(2^n), the structure of GF(p^k) is independent of the choice of Q. The product of the polynomials before reduction modulo Q is taken over GF(p), which means the coefficients are multiplied modulo p.

We can obtain the product of two polynomials of GF(p^k) with the following method (see Figure 12):

1. Given a = (a_{k-1}, ..., a_1, a_0) and x = (x_{k-1}, ..., x_1, x_0) where the a_i and x_i are numbers with ⌈lg(p)⌉ bits, precompute the polynomials A(0) = a, A(1) = (a_{k-1}, ..., a_0, 0) mod Q, A(2) = (a_{k-1}, ..., a_0, 0, 0) mod Q, ..., A(k) = (a_{k-1}, ..., a_0, 0, ..., 0) mod Q. All those polynomials are of degree k − 1 at most.

2. Take the product modulo p of x_i with the coefficients of A(i) for 0 ≤ i < k.

3. Add modulo p the coefficients of each polynomial x_i A(i) to obtain the resulting polynomial r.

        (a_{k-1} ... a_1 a_0)
      · (x_{k-1} ... x_1 x_0)
    = + [x_0     · [(a_{k-1} ... a_1 a_0) mod Q] mod p]
      + [x_1     · [(a_{k-1} ... a_1 a_0 0) mod Q] mod p]
      + [x_2     · [(a_{k-1} ... a_1 a_0 0 0) mod Q] mod p]
        ...
      + [x_{k-1} · [(a_{k-1} ... a_1 a_0 0 ... 0) mod Q] mod p]
    = (r_{k-1} ... r_1 r_0)

Figure 12: The product of two polynomials in GF(p^k).

As was the case for GF(2 n ), the polynomials a and Q are classical values 
given beforehand, as is the value p. 

4.1 The adder gate for GF(p^k)

The adder gate for GF(p^k) is more complicated than that for GF(2^n) since we will have to use adder modulo p gates instead of XOR gates. We will thus make use of the adder modulo p developed for the GF(p) case.

We want to build a gate that adds a classical value a to a quantum value |z⟩ where a and |z⟩ are elements of GF(p^k). The quantum value |z⟩ is given as an n = k⌈lg(p)⌉ qubit register made of k smaller registers of ⌈lg(p)⌉ qubits each. These sub-registers are noted |z_0⟩ through |z_{k-1}⟩. The classical value a is a list of k numbers of ⌈lg(p)⌉ bits, noted a_0 through a_{k-1}. To get the adder gate for GF(p^k), we only have to use the adder gate for GF(p) on every sub-register |z_j⟩ to add the classical value a_j to |z_j⟩ (Figure 13).




Figure 13: The adder for GF(p k ). Since this gate will have to be controlled, 
the adder modulo p gates are implemented sequentially. This also permits the 
recycling of ancillary qubits. 

Of course, the input |z⟩ has to be a quantum superposition of elements of GF(p^k) for the gate to behave properly. The adders modulo p used in the adder for GF(p^k) can be made from carry-sum adders or from φ-adders.

If the carry-sum adders are used as building blocks, the number of qubits needed for the GF(p^k) adder is n + ⌈lg(p)⌉ + 1. This comes from n = k⌈lg(p)⌉ qubits for the quantum input and ⌈lg(p)⌉ + 1 qubits in state |0⟩ used as working space. The number of elementary gates needed is O(n) and the depth is also O(n).

Using the φ-adders as building blocks, we need only n + 2 qubits for the whole GF(p^k) adder. To accomplish this however, we need to reuse two ancillary qubits for every modular φ-adder gate throughout the circuit. We thus have to apply the QFT before and the inverse QFT after every modular φ-adder gate. This is because one of the ancillary qubits will be used to prevent overflows, so it has to be part of the QFT. The other qubit is the one needed by the modular φ-adder and is readily reusable after every modular φ-adder gate. This method lets us recover the two ancillary qubits and reuse them for the next modular φ-adder. The number of elementary gates is then O(n lg(p)) in a depth of O(n).
4.2 The controlled multiplication gate for GF(p^k)

We now use the adder gate for GF(p^k) to build an add-mult gate for GF(p^k). Since the polynomials a and Q are classical values given beforehand, we can precalculate the values A(i) of item 1 in section 4. Furthermore, we can calculate the values 2^j A(i) mod Q with 0 ≤ i < k and 0 ≤ j < ⌈lg(p)⌉. We end up with n polynomials 2^j A(i) mod Q, each of which is a list of k integers less than p.

Each qubit of each sub-register |x_i⟩ will control an adder gate for GF(p^k) on the output qubits. The classical values to be added by these modular adders depend on i and the position j of the qubit inside |x_i⟩. Explicitly, qubit j of |x_i⟩ will control an adder gate for GF(p^k) on the output register where the classical value added is the polynomial 2^j A(i) mod Q. The add-mult gate for GF(p^k) consists of k adder modulo p gates for each qubit of |x⟩ for a total of k^2 ⌈lg(p)⌉ = kn adder modulo p gates (Figure 14).



Figure 14: The add-mult for GF(p^k). (Circuit diagram: each qubit of the sub-registers |x_0⟩, ..., |x_{k-1}⟩ controls an adder of 2^0 A(0), 2^1 A(0), 2^2 A(0), ..., up to 2^j A(k) on the output register; the inputs |x⟩ and |z⟩ leave as |x⟩ and |z + (a·x)⟩, and the whole block is abbreviated MULT(a).)



As mentioned earlier, we are free to use either the modular adder (Figure 3) or the modular φ-adder (Figure 4) to implement the adder modulo p. If we choose the latter, we have to perform the quantum Fourier transform on the output register before and after the circuit shown in figure 14.

Once we have the add-mult gate for GF(p^k), we are in a familiar situation. We can easily use the trick with the controlled swap to get the controlled multiplication on GF(p^k) as in figure 11. The controlled multiplication for GF(p^k) built from carry-sum adders requires 2n + ⌈lg(p)⌉ + 2 qubits and O(n^2) elementary gates in a depth of O(n^2).






If φ-adders are used instead, we need 2n + 3 qubits and O(n^2 lg(p)) elementary gates in a depth of O(n^2) to implement the controlled multiplication for GF(p^k).
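As an added example (not the paper's own code), this Python simulates the add-mult for GF(p^k) of Figure 14 on classical basis states: elements are lists of k coefficients below p, the A(i) = X^i·a mod Q of step 1 and the n polynomials 2^j A(i) mod Q are precomputed classically, and qubit j of |x_i⟩ controls a GF(p^k) adder of 2^j A(i) made of k adders modulo p. It returns the adder-modulo-p count, which comes out to k^2⌈lg(p)⌉ = kn, and with p = 2 it reduces to the XOR method of section 3. Function names and the sample field GF(7^3) with Q = X^3 + X + 1 are the example's own assumptions.

```python
# Classical simulation of the GF(p^k) add-mult of Section 4.2 (added example,
# not the paper's code).  Polynomials are lists of coefficients, lowest
# degree first; Q is monic of degree k and is given with its k + 1 coefficients.

def poly_reduce(v: list, q: list, p: int) -> list:
    """Reduce v modulo the monic polynomial q over GF(p); returns k coefficients."""
    k = len(q) - 1
    v = [c % p for c in v]
    for d in range(len(v) - 1, k - 1, -1):     # clear the terms of degree >= k
        coef = v[d]
        if coef:
            for j in range(k + 1):
                v[d - k + j] = (v[d - k + j] - coef * q[j]) % p
    v = v[:k]
    return v + [0] * (k - len(v))


def lg_bits(p: int) -> int:
    """ceil(lg p): the number of qubits in each sub-register."""
    return (p - 1).bit_length()


def precompute(a: list, q: list, p: int) -> list:
    """table[i][j] = 2^j A(i) mod Q, where A(i) = X^i * a mod Q (step 1 of section 4)."""
    k = len(q) - 1
    table = []
    for i in range(k):
        a_i = poly_reduce([0] * i + list(a), q, p)     # shift a by i positions, reduce
        table.append([[(pow(2, j, p) * c) % p for c in a_i] for j in range(lg_bits(p))])
    return table


def add_mult(c: int, x: list, z: list, a: list, q: list, p: int) -> tuple:
    """Controlled add-mult for GF(p^k) (Figure 14): z -> z + a*x when c == 1.

    x and z are lists of k integers below p.  Returns (new z, number of
    adder-modulo-p gates); every GF(p^k) adder is k adders modulo p, one per
    sub-register |z_j>, and it is present whether or not its control is set.
    """
    k = len(q) - 1
    table = precompute(a, q, p)
    adders = 0
    z = list(z)
    for i in range(k):                          # sub-register |x_i>
        for j in range(lg_bits(p)):             # qubit j of |x_i>
            adders += k
            if c and (x[i] >> j) & 1:
                z = [(zc + tc) % p for zc, tc in zip(z, table[i][j])]
    return z, adders


def multiply_ref(a: list, b: list, q: list, p: int) -> list:
    """Reference: schoolbook product over GF(p), reduced once modulo Q."""
    k = len(q) - 1
    prod = [0] * (2 * k - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_reduce(prod, q, p)


if __name__ == "__main__":
    P, Q = 7, [1, 1, 0, 1]                      # constructed sample: GF(7^3), Q = X^3 + X + 1
    a, x = [2, 3, 4], [5, 0, 6]                 # 2 + 3X + 4X^2 and 5 + 6X^2
    print(add_mult(1, x, [0, 0, 0], a, Q, P))   # ([6, 1, 1], 27): 27 = k*n with n = 9
```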

5 Complexity analysis 

We now compare the complexity of the controlled multiply circuits on GF(p), GF(2^n) and GF(p^k). In order for the comparisons to make sense, we take ⌈lg(p)⌉ = n for the GF(p) case and k⌈lg(p)⌉ = n for the GF(p^k) case.

To assess the complexity of the controlled multiplication circuits, we count the number of qubits, the number of elementary quantum gates and the depth needed for each circuit. The one-qubit gates needed for these circuits are the NOT gate, the phase-shift gate and the Hadamard gate. Also needed are NOT gates controlled by up to four qubits for the circuits using the carry-sum method of addition, and phase-shifts and NOT gates controlled by one or two qubits for the circuits with the φ-adders. Even though some of these gates are technologically more challenging than others, they all can be simulated by a constant number of controlled-NOTs and one-qubit gates [3], and are thus considered elementary. The exact gate count and depth are given in the appendix.



Type of adder                       Width    Size    Depth
Carry-sum adder                     2n       O(n)    O(n)
φ-adder                             n + 1    O(n)    1
Doubly controlled carry-sum adder   2n + 2   O(n)    O(n)
Doubly controlled φ-adder           n + 3    O(n)    O(n)

Table 1: The complexity of addition of integers to quantum values without overflows.

5.1 Controlled multiplication in GF(p) 

For the multiplication on GF(p), we take p such that ⌈lg(p)⌉ = n, that is, p is an n-bit prime integer.
5.1.1 Using the carry-sum adder

The carry-sum adder for integers that adds a classical value to a quantum one uses 2n qubits, O(n) quantum gates and has a depth of O(n). For the GF(p) adder controlled by two qubits, we need 2n + 3 qubits, O(n) gates and a depth of O(n). The controlled multiplication circuit for GF(p) thus needs 3n + 2 qubits and O(n^2) gates in a depth of O(n^2) with the carry-sum method of addition.

5.1.2 Using the φ-adder

The φ-adder for integers requires only n qubits and O(n) gates in constant depth if we do not count the quantum Fourier transforms. Most of the time, the QFTs are not needed before and after the φ-adders because the additions are applied successively. However, we need QFTs in the φ-adder for GF(p), which takes a total of n + 4 qubits and O(n^2) gates in a depth of O(n). The controlled multiplication circuit for GF(p) thus needs 2n + 3 qubits and O(n^3) gates in a depth of O(n^2) using the φ-adders.

5.2 Controlled multiplication in GF(2^n)

The arithmetic in GF(2^n) is much simpler than in the other cases because we never have to worry about carries. For GF(2^n), the adder requires only n qubits and O(n) gates in constant depth. The doubly controlled modular adder requires n + 2 qubits and O(n) gates in constant depth. The whole controlled multiplication gate requires 2n + 1 qubits and O(n^2) gates in a depth of O(n^2).

5.3 Controlled multiplication in GF(p^k)

For the multiplication in GF(p^k), we take k⌈lg(p)⌉ = n, so the elements of the field GF(p^k) are lists of k integers, each of them having at most n/k bits.

5.3.1 Using the carry-sum adder 

We don't have to build a new adder circuit for GF(p^k) because we use k adders for GF(p). We first consider the case where these GF(p) adders use the carry-sum method. The doubly controlled adder for GF(p^k) requires n + ⌈lg(p)⌉ + 3 qubits and O(n) gates in a depth of O(n). The controlled multiplication for GF(p^k) then requires 2n + ⌈lg(p)⌉ + 2 qubits and O(n^2) gates in a depth of O(n^2).

5.3.2 Using the φ-adder

We can use the φ-adder for the GF(p) additions when building the modular adders for GF(p^k). This results in a doubly controlled adder for GF(p^k) of n + 4 qubits and O(n lg(p)) gates in a depth of O(n). The controlled multiplication circuit then requires 2n + 3 qubits and O(n^2 lg(p)) = O(n^3/k) gates in a depth of O(n^2).
Table 2: The complexity of quantum arithmetic, with l = ⌈lg(p)⌉.



6 Conclusions 

The complexity results of this paper are summarized in Table 2. From this table, we can observe that the GF(q) case and the GF(p^k) case for equivalent key sizes (i.e. n = lg q = k lg p) are equivalent in terms of the quantum resources needed to implement a controlled multiplication circuit; the number of qubits required is exactly the same, and only a small constant separates the total circuit sizes. This equivalence is independent of whether we choose the carry-sum adders, which minimize the number of gates, or the φ-adders, which minimize the total number of qubits required.

From this, we can deduce that from the point of view of protection against quantum cryptanalytic attacks based on Shor's algorithm, no significant cryptographic advantage can be extracted from using the more complicated GF(p^k) instead of GF(q). On the other hand, fewer qubits and fewer gates are required for the GF(2^n) case, due to the fact that we need not keep track of carries. Thus, there would be some disadvantage in using this kind of field, in terms of protection against quantum attacks.
A Exact complexity analysis



We give the exact analysis of the number of elementary gates and depth of 
each circuit here. 

A.1 Notation

The circuits we developed require three kinds of one-qubit gates: the NOT gate, the phase-shift gate and the Hadamard gate. These are noted respectively N, P and H. Note that for each phase-shift gate there is a parameter by which the phase of |1⟩ is multiplied; it will not be explicitly taken into account in our analysis. For the circuits where the φ-adders are used, we also need singly and doubly controlled P gates, respectively noted CP and C^2P, as well as controlled-NOT and controlled-controlled-NOT gates (or Toffoli gates), noted CN and C^2N. For the circuits where the carry-sum adders are used, NOT gates with up to four control bits are used. The notation for these gates will obviously be C^3N and C^4N. All these gates can be simulated by a constant number of one-qubit gates and CN gates.

A.2 Circuits for GF(p) 

The circuits for GF(p) are analyzed with n = ⌈lg(p)⌉. We consider two different ways to implement addition on GF(p), that is the carry-sum method and the φ-adder method, and each leads to different complexity issues.

A.2.1 The carry-sum adder for integers

The carry-sum adder is given in figure 1. Each classical bit has a probability 1/2 of being 0 and 1/2 of being 1.

Carry (on average):
Number of qubits = 3
Number of gates = 1 C^2N + \ CN + § N
Depth = 2

Sum (on average):
Number of qubits = 2
Number of gates = 1 CN + | N
Depth = |

The gates shown in figure 1 are not all needed. The first qubit in the state |0⟩ can be removed from the actual implementation since it only acts as a control qubit; it will thus not be accounted for. All gates controlled by this qubit are also removed. Furthermore, we can remove some more gates that cancel each other: the two classically controlled N from the top carry and inverse carry gates, as well as the lone classically controlled N at the bottom of the circuit with the one inside the bottommost sum gate. We are left with (2n − 3) carry gates, (n − 2) sum gates, 2 CN and | N. The numbers given here are only valid for n > 2 because of the optimization of the carry-sum adder.

Carry-sum adder (on average):
Number of qubits = 2n
Number of gates = (2n − 3) C^2N + (2n − §) CN + (§n − 2) N
Depth = - f

The singly controlled carry-sum adder is a carry-sum adder with one more qubit as a control qubit. The important thing to realize is that we only need to control the sum gates and the bottommost carry gate to get the singly controlled carry-sum adder, since the other gates implement the identity if the aforementioned gates are removed. We end up with (2n − 4) carry gates, 1 controlled carry gate, (n − 2) controlled sum gates, 1 C^2N and | CN.

Singly controlled carry-sum adder (on average):
Number of qubits = 2n + 1
Number of gates = 1 C^3N + (3n − f) C^2N + (|n − 1) CN + (n − 2) N
Depth = - f

The doubly controlled carry-sum adder is a carry-sum adder with two control qubits. Again, only the sum gates and the bottommost carry gate need to be controlled. We thus have (2n − 4) carry gates, 1 doubly controlled carry gate, (n − 2) doubly controlled sum gates, 1 C^3N, 5 C^2N and 1 CN.

Doubly controlled carry-sum adder (on average):
Number of qubits = 2n + 2
Number of gates = 1 C^4N + (n − §) C^3N + (f n − 4) C^2N + (n − 1) CN + (n − 2) N
Depth = fn-f

A.2.2 The adder for GF(p)

The adder for GF(p) is like the doubly controlled adder of figure|B]but without 
the control qubits. It consists of five carry-sum adders, one of which is 
controlled by a single qubit. Two N and two CN complete the circuit. 

Adder for GF(p) : 

Number of qubits = 2n + 1 

Number of gates = 1 C 3 N + (lln - f ) C 2 N + (f n - 5) CN + 

(7n - 8) N 

Depth = f n - f 
A.2.3 The doubly controlled adder for GF(p) 

The doubly controlled adder for GF(p) is shown in figure El. It consists of 
five carry-sum adders, that is three which are controlled by two qubits, one 
which is controlled by one qubit and one which is not controlled. Two N and 
two CN are also needed to complete the circuit. 

Doubly controlled adder for GF(p) : 
Number of qubits = 2n + 3 

Number of gates = 3 C 4 N + (3n - |) C 3 N + (f n - f ) C 2 N + 

(f n - I) CN + (fn - 8) N 

Depth = |n - y 
A.2.4 The controlled add-mult for GF(p) 

The controlled add-mult for GF(p) is a modular multiplication obtained by 
successive modular additions (Figure EJ). This circuit takes as inputs a quantum 
value |z⟩ and a number of precomputed values depending on the classical 
value a. The output of the circuit is the quantum input |z⟩ and a quantum 
register in state |z·a⟩, where · is multiplication in GF(p). The circuit is simply 
n doubly controlled modular adders for GF(p) applied one after another. 

Controlled add-mult for GF(p) : 

Number of qubits = 3n + 2 

Number of gates = 3n C 4 N + (3n 2 -±n) C 3 N + (f n 2 -f n) C 2 N + 
(^■n 2 — |n) CN + (y« 2 — 8n) N 

Depth = |n 2 - |n 

A.2.5 The controlled multiplication for GF(p) using carry-sum adders 

The notable difference between this circuit (Figure EJ) and the controlled 
add-mult is that the controlled multiplication only outputs a register in state 
|z·a⟩ instead of keeping the input along with the output. This is important 
for the DLP algorithm to work properly. The controlled multiplication for 
GF(p) consists of the following: a controlled add-mult of the value a, a swap 
of the |z⟩ and |z·a⟩ registers controlled by the top qubit, and finally a reverse 
controlled add-mult of the value a⁻¹. A reverse controlled add-mult is a 
circuit where the inverses of the gates of the controlled add-mult are applied 
in the reverse order. 

The controlled swap of the two registers swaps n pairs of qubits. The 
CN can all be applied in parallel before and after the C²N are applied. 

Controlled swap of two registers of n qubits : 

Number of qubits = 2n + 1 
Number of gates = n C²N + 2n CN 
Depth = n + 2 

Controlled multiplication for GF(p) (carry-sum method) : 
Number of qubits = 3n + 2 

Number of gates = 6n C⁴N + (6n² - n) C³N + (25n² - 38n) C²N + 
(13n² - 5n) CN + (11n² - 16n) N 

Depth = 55n² - 56n + 2 
A.2.6 The φ-adder for integers 

The φ-adder is shown in figure El. The φ-adder takes two inputs: the quantum 
Fourier transform of an (n + 1)-qubit register and a classical value a of n bits. 
The (n+1)-qubit register consists of an n-qubit value |z⟩ with an extra leading 
|0⟩ added in. The output will then be the quantum Fourier transform of a + z 
in an (n + 1)-qubit register. 

In order to compare with the results for the carry-sum adder, we consider 
again that each classical bit has an equal probability 1/2 of being 0 or 1. 
Referring to figure 121, we thus have a probability 1/2 of applying a gate on qubit 
|z_1⟩, 3/4 for qubit |z_2⟩, 7/8 for |z_3⟩ and so on up to |z_n⟩. The probability of 
applying a gate to |z_{n+1}⟩ is the same as that of |z_n⟩. The expected number 
of phase-shift gates is thus given by 

$$\sum_{k=1}^{n}\left(1-\frac{1}{2^{k}}\right)+\left(1-\frac{1}{2^{n}}\right)=n$$

for the φ-adder. 
φ-adder (on average) : 

Number of qubits = n + 1 
Number of gates = n P 
Depth = 1 (n if controlled) 

Singly controlled φ-adder (on average) : 

Number of qubits = n + 2 
Number of gates = n CP 
Depth = n 

Doubly controlled φ-adder (on average) : 

Number of qubits = n + 3 
Number of gates = n C²P 
Depth = n 
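The circuit of this subsection as an added worked example (not code from the paper): a pure-Python state-vector model of Draper's φ-adder on n + 1 qubits, with the QFT written as the discrete Fourier transform it equals, plus an exact enumeration over all 2ⁿ values of a that confirms the expected phase-gate count of n derived above. Function names and the qubit ordering (qubit 1 most significant) are the example's own choices.

```python
import cmath

def qft(state, inverse=False):
    """QFT (or its inverse) of a register given as 2^m amplitudes, written as the
    discrete Fourier transform it equals: QFT|z> = N^(-1/2) sum_k e^(2 pi i zk/N)|k>."""
    N, sign = len(state), -1 if inverse else 1
    return [sum(x * cmath.exp(sign * 2j * cmath.pi * z * k / N) for z, x in enumerate(state))
            / N ** 0.5 for k in range(N)]

def phase_gate(state, j, angle):
    """diag(1, e^(i angle)) on qubit j; qubit 1 is the most significant of the m qubits."""
    bit = 1 << (len(state).bit_length() - 1 - j)
    return [x * cmath.exp(1j * angle) if k & bit else x for k, x in enumerate(state)]

def phi_add(state, a):
    """Draper phi-adder for a classical a on a register already in the Fourier basis:
    qubit j receives diag(1, e^(2 pi i a/2^j)).  That gate is the identity exactly when
    a mod 2^j == 0 (the j low bits of a are all zero), so it is left out; this is where
    the 1 - 1/2^j probabilities in the text come from.  Returns (state, gates applied)."""
    applied = 0
    for j in range(1, len(state).bit_length()):
        if a % (1 << j):
            state = phase_gate(state, j, 2 * cmath.pi * a / (1 << j))
            applied += 1
    return state, applied

def add_via_phi_adder(z, a, n):
    """The complete A.2.6 circuit on n+1 qubits: |0 z> -> QFT -> phi-add a -> QFT^-1.
    The result is a basis state, so reading it out is deterministic; returns z + a,
    which never overflows the n+1 qubits when z and a are n-bit values."""
    state = [0j] * (1 << (n + 1))
    state[z] = 1 + 0j
    state = qft(phi_add(qft(state), a)[0], inverse=True)
    probs = [abs(x) ** 2 for x in state]
    result = max(range(len(probs)), key=probs.__getitem__)
    assert abs(probs[result] - 1.0) < 1e-9, "output is not a single basis state"
    return result

def average_gate_count(n):
    """Exact expectation of the phase-gate count over all 2^n classical values a
    (each bit 0 or 1 with probability 1/2): sum_{j=1}^n (1 - 1/2^j) + (1 - 1/2^n) = n."""
    any_state = [1 + 0j] + [0j] * ((1 << (n + 1)) - 1)   # the count does not depend on it
    total = sum(phi_add(any_state, a)[1] for a in range(1 << n))
    return total / (1 << n)
```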

A.2.7 The φ-adder for GF(p) 

The φ-adder for GF(p) is like the doubly controlled φ-adder of figure 0] but 
without the control qubits. In addition to the five φ-adders needed for this 
circuit, four QFTs are also required. The sole purpose of these QFTs is to 
access the most significant qubit of the quantum register to detect overflows. 

Quantum Fourier transform on n + 1 qubits : 

Number of qubits = n + 1 

Number of gates = (n²/2 + n/2) CP + (n + 1) H 

Depth = 2n + 1 

φ-adder for GF(p) : 

Number of qubits = n + 2 

Number of gates = (2n² + 3n) CP + 4n P + 2 CN + 2 N + (4n + 4) H 
Depth = 9n + 12 

A.2.8 The doubly controlled φ-adder for GF(p) 

The doubly controlled modular φ-adder for GF(p) is shown in figure 

Doubly controlled φ-adder for GF(p) : 
Number of qubits = n + 4 

Number of gates = 3n C²P + (2n² + 3n) CP + n P + 2 CN + 2 N + 
(4n + 4) H 

Depth = 12n + 9 
A.2.9 The controlled φ-addmult for GF(p) 

The controlled φ-addmult for GF(p) is the same as the controlled add-mult 
but with the carry-sum adders replaced with φ-adders (figure EJ). A QFT 
and inverse QFT are needed before and after the circuit shown. These QFTs 
are on n + 1 qubits. 

Controlled φ-addmult for GF(p) : 

Number of qubits = 2n + 3 

Number of gates = 3n² C²P + (2n³ + 4n² + n) CP + n² P + 2n CN + 
2n N + (4n² + 6n + 2) H 

Depth = 12n² + 13n + 2 

A.2.10 The controlled multiplication on GF(p) using φ-adders 

The circuit is given in figure 7. Since we use the φ-adders this time, QFTs 
have to be applied before and after the φ-addmult circuits. 

Controlled multiplication on GF(p) with φ-adders : 

Number of qubits = 2n + 3 

Number of gates = 6n² C²P + (4n³ + 8n² + 2n) CP + 2n² P + 
n C²N + 6n CN + 4n N + (8n² + 12n + 4) H 

Depth = 24n² + 27n + 6 
A.3 Circuits for GF(2ⁿ) 

The circuits for GF(2ⁿ) are simpler than those for GF(p) with n = ⌈lg(p)⌉ 
because there are no carries in GF(2ⁿ). 

A.3.1 The adder for GF(2ⁿ) 

The adder for GF(2ⁿ) is shown in figure |H1. The input is a quantum value |z⟩ 
to which is added a classical value a, so that the output is a quantum value 
|z + a⟩. All these values are n bits or qubits long. We consider that each bit 
of the classical value a is 0 or 1 with equal probability. 

Adder for GF(2ⁿ) : 
Number of qubits = n 
Number of gates = n/2 N 
Depth = 1 

A.3.2 The doubly controlled adder for GF(2ⁿ) 

The fact that the adder has to be controlled by two qubits increases the 
depth and changes the gates to C²N. 

Doubly controlled adder for GF(2ⁿ) : 

Number of qubits = n + 2 
Number of gates = n/2 C²N 
Depth = n/2 

A.3.3 The controlled add-mult for GF(2ⁿ) 

This circuit is simply a succession of n adders with two control qubits (fig. 10). 

Controlled add-mult for GF(2ⁿ) : 

Number of qubits = 2n + 1 
Number of gates = n²/2 C²N 
Depth = n²/2 

A.3.4 The controlled multiplication for GF(2ⁿ) 

We apply the controlled add-mult of A, the controlled swap and the inverse 
controlled add-mult of A⁻¹ as in figure 11. 

Controlled multiplication for GF(2ⁿ) : 

Number of qubits = 2n + 1 

Number of gates = (n² + n) C²N + 2n CN 

Depth = n² + n + 2 
A.4 Circuits for GF(pᵏ) 

In order to compare with the previous results, we consider GF(pᵏ) with 
k⌈lg(p)⌉ = n. We don't need new adders for GF(pᵏ) because we can use 
k adders for GF(p) in parallel instead. 

A.4.1 The adder for GF(pᵏ) using carry-sum adders 

This is the adder from figure IT3*1 where the modular adders use the carry-sum 
method. The modular adders are applied successively so that we can reuse the 
same ancillary qubits as work space for each modular adder. The numbers 
given here are valid for p > 2 only. 

Adder for GF(pᵏ) (carry-sum method) : 

Number of qubits = n + k + ⌈lg(p)⌉ 

Number of gates = k C 3 N + (lln - fk) C 2 N + (f n - 5Jfe) CN + 
(7n — 8k) N 

Depth = f n - f k 

A.4.2 The doubly controlled adder for GF(pᵏ) using carry-sum adders 

This is the previous circuit with two control qubits. 
Doubly controlled adder for GF(pᵏ) (carry-sum method) : 
Number of qubits = n + k + ⌈lg(p)⌉ + 2 

Number of gates = 3A; C 4 N + (3n - \k) C 3 N + (f n - fk) C 2 N + 
(fn-lk) CN+(fn-Sk) N 

Depth = fn-fk 

A.4.3 The controlled add-mult for GF(pᵏ) using carry-sum adders 

This is figure El with carry-sum adders as the building blocks. It is simply 
a series of n instances of the previous circuit. 

Controlled add-mult for GF(pᵏ) (carry-sum method) : 
Number of qubits = 2n + k + ⌈lg(p)⌉ + 1 

Number of gates = 3nk C 4 N + {3n 2 - \nk) C 3 N + (f n 2 - 
^-nk) C 2 N + (|n 2 — \nk) CN + {^n 2 — 8nk) N 

Depth = |n 2 - ^nA; 

A.4.4 The controlled multiplication for GF(pᵏ) using carry-sum adders 

This is the same as what is shown in figure ^2 but with the add-mult for 
GF(pᵏ). 

Controlled multiplication for GF(pᵏ) (carry-sum method) : 
Number of qubits = 2n + k + ⌈lg(p)⌉ + 1 

Number of gates = 6nk C⁴N + (6n² - nk) C³N + (25n² - 39nk + 
n) C²N + (13n² - 7nk + 2n) CN + (11n² - 16nk) N 

Depth = 55n² - 57nk + n + 2 
A.4.5 The φ-adder for GF(pᵏ) 

This is the adder from figure IT^l where the modular adders are φ-adders. The 
QFT and its inverse need to be applied respectively before and after each 
φ-adder so that we can recover the two qubits of work space needed for each 
modular adder. The modular adders are applied one after another. 

φ-adder for GF(pᵏ) : 

Number of qubits = n + 2 

Number of gates = (3n⌈lg(p)⌉ + 4n) CP + 4n P + 2k CN + 2k N + 
(6n + 6k) H 

Depth = 13n + Uk 

A.4.6 The doubly controlled φ-adder for GF(pᵏ) 
This is the previous circuit with two control qubits. 

Doubly controlled φ-adder for GF(pᵏ) : 
Number of qubits = n + 4 

Number of gates = 3n C²P + (3n⌈lg(p)⌉ + 4n) CP + n P + 2k CN + 
2k N + (6n + 6k) H 

Depth = 16n + 11k 

A.4.7 The controlled add-mult for GF(pᵏ) using φ-adders 

This is shown in figure H3J but this time we use φ-adders as building blocks. 
It is again simply a series of n instances of the previous circuit. 

Controlled add-mult for GF(pᵏ) with φ-adders : 
Number of qubits = 2n + 3 

Number of gates = 3n² C²P + (3n²⌈lg(p)⌉ + 4n²) CP + n² P + 
2nk CN + 2nk N + (6n² + 6nk) H 

Depth = 16n² + 11nk 

A.4.8 The controlled multiplication for GF(pᵏ) using φ-adders 

Again, this is what is shown in figure ^2 using the φ-addmult for GF(pᵏ). 
Controlled multiplication for GF(pᵏ) with φ-adders : 

Number of qubits = 2n + 3 

Number of gates = 6n² C²P + (6n²⌈lg(p)⌉ + 8n²) CP + 2n² P + 
n C²N + (4nk + 2n) CN + 4nk N + (12n² + 12nk) H 

Depth = 32n² + 22nk + n + 2 